Severity Score: Medium
CVSS score: 6.9
Vecto string: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

Description:

Feehi CMS 2.1.1 allows admin user create the new role but lack of santitize or filter input in the role name. Leak to attacker can inject the XSS payload. It store the payload in the database.

Impact:

If the admin view the the log, the malicious JS will execute and it can leak to steal others admin's cookie.

POC:

Step 1: Create new role.

Step 2: Enter the XSS payload in the role field and save it.

Step 3: When admin create a new role, the malicious role contain XSS payload will appear and execute.

Mitigare:

1/ Use filters to filter tags or events.
2/ Encode the special characters like <, >, (, ), etc.